Not Because It Is Easy, But Because We Can


Twelve barrels of the world’s most alcoholic whisky, or enough to wipe out a medium-size army, will be produced when the Bruichladdich distillery revives the ancient tradition of quadruple-distilling today. With an alcohol content of 92 per cent, the drink may not be the most delicate single malt ever produced but it is by far and away the world’s strongest. Malt whisky usually has an alcohol content of between 40 per cent and 63.5 per cent.

Mark Reynier, Bruichladdich’s managing director, said: “We are doing this because we have this ancient recipe and therefore we can. It is unlikely that we will ever produce any more quadruple distilled malt again, so we expect it to become much sought after.”

(From the Times Online, via DM. I wonder if they’re patenting the process?)

Patents and Innovation

In responding to “New Products, Emerging from Chaos,” Albatross makes a good comment about how the RSA patent expiry didn’t lead to an immediate outpouring of new products. Albatross also mentions how transaction costs encourage people to look for new ways to solve a problem. Mordaxus says there has been an explosion in the use of cryptography since the RSA patent expired — it just took a while.

Even though neither commenter mentioned it, I want to start with the issue of language, which is the elephant in the room. The most trenchant critique of the system involves language. There are important disconnects between the words used to describe the patent system, and the reality of the system.

The way the courts interpret “new” and “non-obvious” has lost all relation to the plain language meaning of the words. That disconnect drives a great deal of anger at and disdain for the system. The form in which software patents have evolved means the original bargain, of disclosure for protection, does not work in my field. Software engineers don’t read patents. They are, almost without exception, incomprehensible. I recall being shocked to hear that chemists actually read each other’s patents.


On Computers and Irony

I’ve been saying for a while that destroying information has an ironic tendency: While it’s quite hard to really destroy data on a computer when you want to, (for example, “Hard-Disk Risk“) it’s quite easy to lose the data by accident.

Similarly, while it’s quite hard to make code that runs and does what you want, it seems to be quite hard to make code that does all that, and also doesn’t run when you don’t want it to. As is illustrated by “OSx86 10.4.4 Security Broken. (Guess Who Done It?).” In this case, the security they’re referring to is the ability of the OS to only run on Apple hardware.

Ironic. It feels like it ought to be easier.

How Much Does A Firewall Reduce Your Risk?

In a recent post, “The Future Belongs To The Quants,” Chris suggests that risk mitigations must be quantifiable. My post “In The Future, Everyone Will Be Audited for 20 Years,” lists what the FTC is requiring for risk mitigation. It seems none of it is quantifiable. Chris?

(Incidentally, I think this iptables shirt may be the single geekiest t-shirt I have ever seen, including the vendor room at probably 10 Defcons. From lilit’s photostream.)

Analysis of University of Texas, 4,000 encrypted SSNs, Laptop

There is no such thing as perfect security. This week, Arthur commented on “40 Million Pounds Sterling Stolen from British Bank.” Mistakes do happen, and it’s nice to see that not only did the M.D. Anderson Cancer Center ensure that their data was stored encrypted, they chose to notify people that it happened:

The private health information and Social Security numbers of nearly 4,000 patients of the University of Texas M.D. Anderson Cancer Center are at risk after a laptop containing their insurance claims was stolen.

Patients and patients’ families were notified this month of the theft, which occurred in November at the Atlanta home of an employee of PricewaterhouseCoopers…

“The laptop that was stolen does have sophisticated encryption software, so it will be very difficult for someone to access patient information,” Carrie Lyons, M.D. Anderson’s chief privacy officer, wrote in a Jan. 30 letter. “Even though it will be difficult for someone to access patient information, we feel you should be informed of this incident.”


Relentless Navel Gazing, Part 8

We made a few changes yesterday. There’s now a special archive page for the “Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars” series of posts. I’ve gotten more kudos for that series than anything else, so I added a way for you to read them all in the order they were presented. Enjoy!

We’ve moved to a Creative Commons Non-Commercial, Attribution license, meaning (roughly) you’re free to take this all and mash it up as you see fit, as long as you credit us and aren’t doing it for money.

Perhaps less interesting, but also nice, is a move from the numbered posts to more readable URLs, which I’d wanted to do for a while, but was worried about archival links. Thanks to the lovely and talented Lisa, we’re all set (with a lot of redirects). It makes it easier to work with the links.

Security Breach Resources

I’ve put together a small set of web pages containing links to current and pending legislation, breach listings, various on-line resources, and so on.
There is probably not much there that is new to most readers of these words, but the fact that it is in one place may be helpful.
The URL is
I am clearly not a web designer (nor do I play one on TV!), but I wanted to play around with iWeb, so there you have it. I’d be happy to hear any feedback.
BTW — I already know the images are too large. Apple took my 40K JPGs and made them nice fat PNGs. I’ll fix it soonish.

Dear Lazyweb

I’m looking for code that will parse the emails sent by online travel agencies and airlines. Ideally, it would be Python code that allows me to invoke something like itinerary.get_next_flight(msg) and get a dictionary of (to, from, airline, flight #, date), etc. Does such a library exist?